The Importance of Designating Cyberspace Weapon Systems

Brig Gen Robert J. Skinner, USAF


Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, defines weapon system as "a combination of one or more weapons with all related equipment, materials, services, personnel, and means of delivery and deployment (if applicable) required for self-sufficiency."1 When one thinks of the US Air Force and weapon systems, the B-2 Spirit stealth bomber, F-15E Strike Eagle fighter jet, or F-16 Fighting Falcon aircraft quickly come to mind. Even the Minuteman III missile, the Global Positioning System, or KC-135 Stratotanker air refueling aircraft could become part of the discussion because, after all, the Air Force's mission is to fly, fight, and win in air, space, and cyberspace. These assets, which fall under the air and space umbrella, have served as tried and true weapon systems for many years. The Air Force has now added to the long line of its weapon systems that support cyberspace operations, "the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace." These systems are unique in that they are tied to the newest domain of cyber—"a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers."2

On 24 March 2013, the chief of staff of the Air Force approved the official designation of six cyberspace weapon systems under the lead of Air Force Space Command (AFSPC), which is responsible for organizing these systems, equipping units with them, and training individuals to use the systems. The Air Force's provision of global reach, power, and vigilance across the domains of air and space now applies to the cyberspace domain through the designation of the following cyberspace weapon systems:

• Air Force Cyberspace Defense

• Cyberspace Defense Analysis

• Cyberspace Vulnerability Assessment / Hunter

• Air Force Intranet Control

• Air Force Cyber Security and Control System

• Cyber Command and Control Mission System

Although the names may imply some duplication of effort with respect to these capabilities, the personnel and equipment that comprise these systems perform unique missions and complement each other. All of them focus on providing and securing cyberspace as a mission enabler and protecting critical information while defending our networks from attack. Any consideration of the capabilities of these weapon systems would benefit from comparing this suite of cyberspace weapon systems to the Air Force's military airlift weapon systems (the C-5, C-17, C-130, etc.), each of which contributes uniquely to the overall air mobility mission. Just as clear distinctions exist among these platforms, based upon the operational capabilities required, so do the cyberspace weapon systems differ from each other. The systems may have overlapping mission areas, but they are complementary in much the same way as our airlift platforms—they offer comprehensive capabilities.

Revelations of Chinese activities on our networks, as outlined earlier this year in the Mandiant Company's report titled Advanced Persistent Threat (APT) 1: Exposing One of China's Cyber Espionage Units, emphasize the urgent need for the Air Force and the nation to develop capabilities to defend this critical domain and thereby ensure information superiority. The report illustrates the persistent threat, noting that "the details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. . . . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors." The Mandiant report on APT 1 highlights only one of more than 20 APT groups based in China, tracking this single group to cyber attacks on nearly 150 victims over seven years with hundreds of terabytes of data exfiltrated.3 Clearly, though, this discussion does not confine itself to any particular adversary. Many aggressors inhabit the cyberspace domain, and the executor of these activities ranges from an individual in the basement of his house, to groups of individuals working as teams, to nation-states. Their intentions can also cover a spectrum of activities, including espionage, theft of intellectual capital, organized crime, identity theft, military operations, and so forth.

This article examines each weapon system, highlights its history and unique capabilities, and describes the specific units that operate the system. It then discusses the importance of classifying these capabilities as "weapon systems," illustrating how they directly address the threats we face today. Before doing so, however, the article presents a stage-setting vignette to establish an understanding of weapon system capabilities and their employment against an adversary.

Assume that you are a government civilian sitting at your desk at a major command headquarters when you receive an e-mail concerning sequestration and a potential furlough. Included in the e-mail is a link to a website for more information. You attempt to open the link but receive an error message. You try again with the same result. You then resume work on your tasks. Unknown to you, the link has directed you to a malicious web server that downloaded malware enabling an adversary to take command of your desktop computer. How could this occur, and why would anyone specifically target you? Actually, it was not difficult. Remember the conference you attended a few months ago, before temporary duty became restricted? The adversary lifted your e-mail address from the conference sign-in sheet, also available to the event sponsors. Why you? Adversaries consider your unique expertise and access to valuable information a "target-rich environment." Only one person needs to click on the link to initiate a series of malicious actions. Because the adversary left no hint of a problem on your computer, he now has unfettered access to that unclassified but useful information.

How does the Air Force combat such intrusions? Actually, the best defense for phishing attacks is user education. However, these attacks are becoming more sophisticated and sometimes almost impossible to identify. All of the services have cyberspace units responsible for network defense. In this case, network traffic monitoring tips off the Air Force to the intrusion on your desktop computer. A network operations unit identifies an unusual amount of traffic leaving your base directed to addresses in another country. The unit notifies the 624th Operations Center, including Air Force Office of Special Investigations personnel, and the center begins command and control (C2) and law enforcement efforts to address the event. Cyberspace forensics experts are dispatched to review the situation, not only locating the "infected" equipment but also determining how the adversary accessed the Air Force system. Cyberspace C2 dispatches cyber operations risk-assessment personnel to survey the situation, determine the exact data exfiltrated, and assess the damage. The Air Force computer emergency response team (AFCERT) examines your base's computers and other hardware to footprint exact infiltration methods, using them to develop (and share) defensive actions specific to the threat and glean any new tactics, techniques, and procedures. The AFCERT pushes patches to all Air Force desktop computers to combat future attempts to employ this technique; it will support your base on further network cleanup and hardening. Now that we have described an attack from 50,000 feet, let us delve deeper into the weapon systems and units that carry out these missions.


Air Force Cyberspace Defense Weapon System

The Air Force Cyberspace Defense (ACD) weapon system prevents, detects, responds to, and provides forensics of intrusions into unclassified and classified networks. Operated by the 33d Network Warfare Squadron (NWS), located at Joint Base San Antonio-Lackland, Texas, and the Air National Guard's 102d NWS, located at Quonset Air National Guard Base, Rhode Island, the ACD weapon system supports the AFCERT in fulfilling its responsibilities. The crews for this weapon system consist of one cyberspace crew commander, one deputy crew commander, one cyberspace operations controller, and 33 cyberspace analysts, all of them supported by additional mission personnel.

The ACD weapon system evolved from the AFCERT, which has primary responsibility for coordinating the former Air Force Information Warfare Center's technical resources to assess, analyze, and mitigate computer security incidents and vulnerabilities. The weapon system offers continuous monitoring and defense of the Air Force's unclassified and classified networks, operating in four subdiscipline areas:

1. incident prevention: protects Air Force networks (AFNet) against new and existing malicious logic; assesses and mitigates known software and hardware vulnerabilities.

2. incident detection: conducts monitoring of classified and unclassified AFNets; identifies and researches anomalous activity to determine problems and threats to networks; monitors real-time alerts generated from network sensors; performs in-depth research of historical traffic reported through sensors.

3. incident response: determines the extent of intrusions; develops courses of action required to mitigate threat(s); determines and executes response actions.

4. computer forensics: conducts in-depth analysis to determine threats from identified incidents and suspicious activities; assesses damage; supports the incident response process, capturing the full impact of various exploits; reverse-engineers code to determine the effect on the network/system.


Cyberspace Defense Analysis Weapon System

The Air Force Cyberspace Defense Analysis (CDA) weapon system conducts defensive cyberspace operations by monitoring, collecting, analyzing, and reporting on sensitive information released from friendly unclassified systems, such as computer networks, telephones, e-mail, and US Air Force websites. CDA is vital to identifying operations security disclosures. The weapon system is operated by three active duty units (68 NWS; 352 NWS; and 352 NWS, Detachment 1) and two Air Force Reserve units (860th Network Warfare Flight and 960th Network Warfare Flight) located at Joint Base San Antonio-Lackland, Texas; Joint Base Pearl Harbor-Hickam Field, Hawaii; Ramstein Air Base, Germany; and Offutt AFB, Nebraska. The crews for this weapon system consist of one cyberspace operations controller and three cyberspace defense analysts. All mission crews receive support from additional mission personnel.

The CDA weapon system's two variants are designed to monitor, collect, analyze, and report on official Air Force information transmitted via unsecured telecommunications systems to determine whether any of it is sensitive or classified. The system reports compromises to field commanders, operations security monitors, or others, as required, to determine potential effects and operational adjustments. The second variant provides additional functionality to conduct information damage assessment based on network intrusions, coupled with an assessment of Air Force unclassified websites. Only the 68 NWS operates the second variant.

The CDA weapon system supplies monitoring and/or assessment in six subdiscipline areas:

1. telephony: monitors and assesses Air Force unclassified voice networks.

2. radio frequency: monitors and assesses Air Force communications within the VHF, UHF, FM, HF, and SHF frequency bands (mobile phones, land mobile radios, and wireless local area networks).

3. e-mail: monitors and assesses unclassified Air Force e-mail traffic traversing the AFNet.

4. Internet-based capabilities: monitor and assess information that originates within the AFNet that is posted to publicly accessible Internet-based capabilities not owned, operated, or controlled by the Department of Defense (DOD) or the federal government.

5. cyberspace operational risk assessment (found within the second variant operated by the 68 NWS): assesses data compromised through intrusions of AFNets with the objective of determining the associated effect on operations resulting from that data loss.

6. web risk assessment (found within the second variant operated by the 68 NWS): assesses information posted on unclassified public and private websites owned, leased, or operated by the Air Force in order to minimize its exploitation by an adversary, diminishing any adverse effect on Air Force and joint operations.


Cyberspace Vulnerability Assessment / Hunter Weapon System

The Air Force Cyberspace Vulnerability Assessment (CVA) / Hunter weapon system executes vulnerability, compliance, defense, and nontechnical assessments, best-practice reviews, penetration testing, and hunter missions on Air Force and DOD networks and systems. Hunter operations characterize and then eliminate threats for the purpose of mission assurance. This weapon system can perform defensive sorties worldwide via remote or on-site access. The CVA/Hunter weapon system is operated by one active duty unit, the 92d Information Operations Squadron, located at Joint Base San Antonio-Lackland, Texas, and one Guard unit, the 262 NWS, located at Joint Base Lewis-McChord, Washington. Additionally, two Guard units are in the process of converting to this mission: the 143d Information Operations Squadron located at Camp Murray, Washington, and the 261 NWS located at Sepulveda Air National Guard Station, California. The crews for this weapon system consist of one cyberspace crew commander, one to four cyberspace operators, and one to four cyberspace analysts. Additional mission personnel support all of the mission crews. Developed by the former Air Force Information Operations Center, the CVA/Hunter weapon system was fielded to the 688th Information Operations Wing in 2009.

Historically, vulnerability assessments proved instrumental to mission assurance during Operations Enduring Freedom and Iraqi Freedom. CVAs continue to provide this vital capability. Additionally, they now serve as the first phase of hunting operations. The hunter mission grew out of the change in defensive cyber strategy from "attempt to defend the whole network" to "mission assurance on the network," offering an enabling capability to implement a robust defense-in-depth strategy. CVA/Hunter weapon system prototypes have participated in real-world operations since November 2010. The weapon system attained initial operational capability in June 2013.

Designed to identify vulnerabilities, the CVA/Hunter gives commanders a comprehensive assessment of the risk of existing vulnerabilities on critical mission networks. It is functionally divided into a mobile platform used by operators to conduct missions either on site or remotely, a deployable sensor platform to gather and analyze data, and a garrison platform that provides needed connectivity for remote operations as well as advanced analysis, testing, training, and archiving capabilities. Specifically, the hunter mission focuses on finding, fixing, tracking, targeting, engaging, and assessing the advanced, persistent threat.

During active engagements, the CVA/Hunter weapon system, in concert with other friendly network defense forces, provides Twenty-Fourth Air Force / Air Forces Cyber and combatant commanders a mobile precision-protection capability to identify, pursue, and mitigate cyberspace threats. It can be armed with a variety of modular capability payloads optimized for specific defensive missions and designed to produce specific effects in cyberspace. Each CVA/Hunter crew can conduct a range of assessments, including vulnerability, compliance, and penetration testing, along with analysis and characterization of data derived from these assessments. The weapon system's payloads consist of commercial-off-the-shelf and government-off-the-shelf hardware and software, including Linux and Windows operating systems loaded with customized vulnerability-assessment tools.


Air Force Intranet Control Weapon System

The Air Force Intranet Control (AFINC) weapon system is the top-level boundary and entry point into the Air Force Information Network, controlling the flow of all external and interbase traffic through standard, centrally managed gateways. The AFINC weapon system consists of 16 gateway suites and two integrated management suites. Operated by the 26th Network Operations Squadron (NOS) located at Gunter Annex, Montgomery, Alabama, AFINC has crews consisting of one crew commander, one deputy crew commander, one cyberspace operations crew chief, two operations controllers, two cyberspace operators, and three event controllers, all of them supported by additional mission personnel.

The AFINC weapon system replaces and consolidates regionally managed, disparate AFNets into a centrally managed point of access for traffic through the Air Force Information Network. It delivers network-centric services, enables core services, and offers greater agility to take defensive actions across the network. AFINC integrates network operations and defense via four subdiscipline areas:

1. defense-in-depth: delivers an enterprise-wide layered approach by integrating the gateway and boundary devices to provide increased network resiliency and mission assurance.

2. proactive defense: conducts continuous monitoring of AFNet traffic for response time, throughput, and performance to ensure timely delivery of critical information.

3. network standardization: creates and maintains standards and policies to protect networks, systems, and databases; reduces maintenance complexity, downtime, costs, and training requirements.

4. situational awareness: delivers network data flow, traffic patterns, utilization rates, and in-depth research of historical traffic for anomaly resolution.


Air Force Cyber Security and Control System Weapon System

The Air Force Cyber Security and Control System (CSCS) weapon system provides network operations and management functions around the clock, enabling key enterprise services within the Air Force's unclassified and classified networks. It also supports defensive operations within those AFNets. CSCS is operated by two active duty NOSs, one Air National Guard Network Operations Security Squadron, and two Air Force Reserve Command Associate NOSs aligned with the active duty squadrons. The 83 NOS and 860 NOS are located at Langley AFB, Virginia; the 561 NOS and 960 NOS at Peterson AFB, Colorado; and the 299th Network Operations Security Squadron at McConnell AFB, Kansas. Crews for this weapon system consist of one cyberspace crew commander, one cyberspace operations controller, an operations flight crew (conducting boundary, infrastructure, network defense, network focal point, and vulnerability-management functions), and an Enterprise Service Unit (supplying messaging and collaboration, directory and authentication services, storage and virtualization management, and monitoring management). Additional mission personnel support all of the mission crews.

The CSCS resulted from an operational initiative to consolidate numerous major command-specific networks into a centrally managed and controlled network under three integrated network operations and security centers. In 2007 the Air Force established two active duty NOSs to provide these functions. The Air National Guard Network Operations Security Squadron does the same for the Guard's bases and units.

The CSCS weapon system performs network operations and fault-resolution activities designed to maintain operational networks. Its crews monitor, assess, and respond to real-time network events; identify and characterize anomalous activity; and take appropriate responses when directed by higher headquarters. The system supports real-time filtering of network traffic into and out of Air Force base-level enclaves and blocks suspicious software. CSCS crews continuously coordinate with base-level network control centers and communications focal points to resolve network issues. Additional key capabilities include vulnerability identification and remediation as well as control and security of network traffic entering and exiting Air Force base-level network enclaves. CSCS also offers Air Force enterprise services, including messaging and collaboration, storage, and controlled environments for hosting network-based systems that support the service's missions.


Cyber Command and Control Mission System Weapon System

The Cyber Command and Control Mission System (C3MS) weapon system enables the Air Force mission by synchronizing the service's other cyber weapon systems to produce operational-level effects in support of combatant commanders worldwide. It provides operational-level C2 and situational awareness of Air Force cyber forces, networks, and mission systems, enabling the Twenty-Fourth Air Force commander to develop and disseminate cyber strategies and plans; the commander can then execute and assess these plans in support of Air Force and joint war fighters. Operated by the 624th Operations Center at Joint Base San Antonio-Lackland, Texas, the C3MS weapon system has crews consisting of a senior duty officer, a deputy senior duty officer, a defensive cyberspace watch officer, an offensive cyberspace watch officer, a DOD information network watch officer, three defensive cyber operations controllers, three offensive cyber operations controllers, three DOD information network operations controllers, a cyberspace effects planner, a cyberspace operations strategist, a cyberspace intelligence analyst, a cyberspace operations assessment analyst, and a cyberspace operations reporting cell analyst. All mission crews are supported by additional mission personnel. The C3MS weapon system evolved from the legacy AFNet operations security center's concept, personnel, and equipment. With the activation of US Cyber Command and Twenty-Fourth Air Force, senior leaders recognized the need for an operational-level cyber C2 capability.

The C3MS is the single Air Force weapon system offering perpetual, overarching awareness, management, and control of the service's portion of the cyberspace domain. It ensures unfettered access, mission assurance, and joint war fighters' use of networks and information-processing systems to conduct worldwide operations. The weapon system has five major subcomponents:

1. situational awareness: produces a common operational picture by fusing data from various sensors, databases, weapon systems, and other sources to gain and maintain awareness of friendly, neutral, and threat activities that affect joint forces and the Air Force.

2. intelligence, surveillance, and reconnaissance (ISR) products: enable the integration of cyberspace indications and warning, analysis, and other actionable intelligence products into overall situational awareness, planning, and execution.

3. planning: leverages situational awareness to develop long- and short-term plans, tailored strategy, courses of action; shapes execution of offensive cyberspace operations, defensive cyberspace operations, and DOD information network operations.

4. execution: leverages plans to generate and track various cyberspace tasking orders to employ assigned and attached forces in support of offensive cyberspace operations, defensive cyberspace operations, and DOD information network operations.

5. integration with other C2 nodes: integrates Air Force-generated cyber effects with air and space operations centers (AOC), US Cyber Command, and other C2 nodes.


Why Cyber Weapon Systems?

If we truly wish to treat cyberspace as an operational domain no different from air, land, sea, or space, then our thinking must evolve from communications as a supporting function to cyber as an operational war-fighting domain. To fly and fight effectively and to win in cyberspace, the Air Force must properly organize, train, and equip its cyber professionals. For many years, AFNet infrastructure and systems grew as a result of multiple communities adding components to suit their individual needs, often with end-of-year funds. Similarly, the components that now make up these six systems had no lead major command to articulate operational requirements and ensure standardized training as well as the effective management and resourcing of equipment life cycles. Such an inconsistent approach made mission assurance and the defense of critical Air Force and joint missions in cyberspace nearly impossible. Migration to the AFNet has allowed the service to take great strides towards realizing the vision from nearly two decades ago of operationalizing and professionalizing the network. AFSPC championed the effort to identify these six systems as weapon systems and facilitate this move to a more disciplined approach. Formally designating these systems helps ensure proper management and sustainment of equipment life cycles. It also expedites the evolution of Air Force cyber professionals from a communications or information technology mind-set to an operational one replete with mission-qualification training, crew force-management standards, and standardization and evaluation programs (where appropriate) to normalize cyber operations, as is the case with space and missile operations. Furthermore, formally designated weapon systems should help cyber receive the proper manning and programmatic funding necessary to ensure that the Air Force can fly, fight, and win in cyberspace.

The DOD construct for the management and resourcing of air, space, land, and sea superiority occurs via weapon systems. The best way to create and control effects in the cyber domain involves using the same weapon system construct to manage and resource cyber capabilities. Cyber weapon systems offer a path for the Air Force to operationalize, normalize, and ultimately standardize cyber, just as we have with the other war-fighting domains. The Air Force has been charged with securing, operating, and defending its portion of the DOD information networks and with defending Air Force and joint missions in the cyberspace domain. These cyber weapon systems give the Air Force a path to follow in normalizing operations to realize this goal.

The designation of cyber weapon systems created a separate cyber-sustainment funding line in the overall process of sustaining Air Force weapon systems. By normalizing the funding process, the service has instituted proper long-term planning and programming of sustainment funding, thus enabling more effective and efficient use of these limited resources, as compared to uncoordinated execution of unreliable end-of-year funds—key tenets to guaranteeing standardized configuration management and servicewide (and, where applicable, joint) interoperability. We are already realizing these benefits through the deployment of AFNet, whereby the Air Force enterprise has become easier to defend and the user experience continues to improve through ongoing standardization.

The benefits of designating cyberspace weapon systems are similar to those
gained by weapon systems in other domains—it is the standard Air Force
mechanism for organizing, training, equipping, and presenting mission
capabilities. The weapon system construct allows the service to manage
operational capabilities in a formalized approach and assure their
standardization, sustainment, and availability to combatant commanders.
When AFSPC personnel compared the air and space domains' normalization
processes, they found that only weapon system designation delivered the
desired end state. Such systems may not always be ideally resourced, but
they certainly receive better support than they would without designations.

Furthermore, designating cyberspace weapon systems directly supports
AFSPC's role as cyber core function lead integrator, enabling the command
to meet responsibilities listed in Air Force Policy Directive 10-9 and
facilitating standardization across cyberspace platforms.4 Designating
these weapon systems is also critical to providing tactical units with the
resources and training they need to operate in a normalized capacity. The
core of cross-domain integration lies in the ability to leverage
capabilities from different domains to create unique and decisive
effects—if adequately resourced. Such designations will support proper
evolution of the cyberspace domain and its relationship with the other
operational domains—a critically important point because in modern warfare,
cyberspace interconnects all domains. All of these efforts to normalize and
operationalize cyberspace operations and missions drive the Air Force
towards the joint information environment (JIE) construct, standards, and
processes. As the DOD, US Cyber Command, and services implement the JIE,
they are also standing up cyber mission teams to support national,
combatant command, and service-specific cyber requirements. Designating
these capabilities as weapon systems allows these teams to better support
national and joint missions in, through, and from cyberspace.


Unique Challenges of the Cyber Domain

The air, land, sea, and space domains are natural areas—we didn't have to
build them, as we did the tools to leverage those domains. Although none of
the natural domains demands any maintenance, cyberspace predominantly
exists within the equipment and devices designed, built, and configured by
humans, requiring constant maintenance as equipment becomes outdated or
worn out. Additionally, the way we construct cyberspace has a direct effect
on our ability to operate and defend the domain. This aspect makes
cyberspace unique in that its operation is just as important as its
defense. We must constantly feed and care for the domain as well as
innovate to stay ahead of or, preferably, drive the technology curve.

Defending cyber also presents its own challenges since an adversary can
launch a cyber attack virtually without warning from any location on the
globe. In the case of intercontinental ballistic missiles, we at least have
sensors that detect the launch; thus, depending on the location of the
launch, our forces have some modicum of warning and can respond. In
cyberspace, attacks can occur without warning or time to craft and execute
responses. The Air Force must develop capabilities to detect such attacks,
prevent them if possible, and respond accordingly if required, just as it
does in all other war-fighting domains. We must also develop the tools to
leverage cyberspace for our own benefit. In reality, we may never be able
to defend our networks completely—to do so would likely require so much
security that we lose the force-multiplying benefits that cyberspace offers
to all of our missions. If we keep all adversaries out, most likely we will
keep ourselves locked in. The key lies in finding a balance so that we
effectively defend our networks and the missions that rely on them from
attack yet leverage cyberspace for the benefit it offers those same
missions.

Moreover, cyberspace is critical to Air Force and joint operations in the
other war-fighting domains. Practically everything we do in warfare these
days relies on cyberspace, be it providing telemetry to satellites and
missiles or controlling our military forces in Afghanistan—we depend upon
the cyber domain to execute operations in all of the other domains.

Designating cyberspace weapon systems calls for a tremendous resource
commitment to meet the standards of air and space weapon systems. Operating
to this higher benchmark requires corresponding funding and manpower
greater than the cyberspace domain received as a simple communications or
information technology support function. However, failure to make these
commitments could prove devastating to future operations throughout every
other domain. The operationalization of cyberspace is more than just a way
for AFSPC to properly organize, train, and equip cyberspace forces—it is
the logical evolution of cyberspace to a true war-fighting domain and a
critical enabler of all other war-fighting operations.


Air and Space Operating Center Example

In the late 1990s, the Air Force designated the Falconer AOC a weapon
system with little or no formal acquisition, sustainment, or requirements
rigor to back it up. Basically, the chief of staff just made it a "go do."
The operations community found itself backing into the requirements in much
the same way we do today with our cyberspace systems. By declaring the AOC
a weapon system, the Air Force sought to normalize what was basically a
homegrown "county option" collection of equipment and personnel that varied
from one numbered air force to another. This thinking held that a
designated weapon system would result in better training for AOC crews,
better defense of the program in the program objective memorandum process,
and some protection of the numbered air force's staff manpower from
poaching to fill AOC billets.

In reality, the AOC funding line has suffered numerous cuts, the equipment
baseline has always been problematic in terms of sustainment and
modernization, and AOC manpower has remained subject to several efficiency
drills, ultimately shrinking the footprint. It stands to reason that many
members of the operations community would argue that classification as a
weapon system has not necessarily helped the AOC.

In Air Combat Command's opinion, though, in spite of the serious challenges
faced during the transition, the AOC is better off today than it was 15
years ago, especially in terms of training its crews. A dedicated formal
training unit at Hurlburt Field, Florida, established a program of record,
provided a rigorous configuration and change-management process, and
ultimately resulted in recognition by the operations community that the AOC
is the crown jewel in the joint force air component commander's tactical
air control system C2 concept. Additionally, assignment to an AOC tour is
no longer considered a career-ending event for rated officers—quite a
change from the perception in the 1990s when an assignment to a numbered
air force staff or an AOC was widely seen as the kiss of death for
promotion in the rated career fields.

AFSPC would not let the initial pains of the AOC experience deter us from
pushing the cyberspace weapon system concept forward. Every program
(fighters, bombers, and ISR) confronted its fair share of challenges, but
without a program—something with a name attached to it—cyberspace systems
would always fight for scraps in money and manpower. As we integrate these
cyberspace weapon systems into the Air Force construct, perhaps we can
learn from the challenges of establishing the AOC weapon system and avoid
the same pitfalls and mistakes.


Final Thoughts

Through the cyberspace domain, the United States exploits other
war-fighting domains. Practically all warfare these days relies on
cyberspace—everything from communications, precision navigation and timing,
attack warning, ISR, and C2. Designating cyberspace weapon systems will
help the Air Force guarantee persistent cyberspace access and mission
assurance for other critical weapon systems and domains that rely on
cyberspace. By doing so, the service has made a commitment that cyberspace
will receive the programmatic and budgetary attention necessary to sustain
cyberspace operations, support the cyber mission teams, and drive towards
the JIE. Furthermore, cyberspace operations supported by core weapon
systems offer increased security, performance, flexibility, and overall
capability unmatched in a less normalized environment. The
operationalization of cyberspace is more than just a way for AFSPC to
properly organize, train, and equip the cyberspace domain—it is the logical
evolution of cyberspace to a true war-fighting domain and a critical
enabler of all other such domains.


Notes 

1. Joint Publication 1-02, Department of Defense Dictionary of Military and
Associated Terms, 8 November 2010 (as amended through 15 June 2013), 303,
http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf.

2. Joint Publication 3-13, Information Operations, 27 November 2012, II-9,
http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.

3. Mandiant, APT1: Exposing One of China's Cyber Espionage Units
([Washington, DC: Mandiant, 2013]), 2, 3, 20, 59,
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.

4. Air Force Policy Directive 10-9, Lead Command Designation and
Responsibilities for Weapon Systems, 8 March 2007,
http://static.e-publishing.af.mil/production/1/af_a3_5/publication/afpd10-9/afpd10-9.pdf.